Security Advisory 2026-008
Ivanti has disclosed two critical vulnerabilities in its Sentry products, including an OS command injection flaw (CVE-2026-10520) and an authentication bypass vulnerability (CVE-2026-10523). These vulnerabilities allow remote, unauthenticated attackers to achieve root-level remote code execution and create arbitrary administrative accounts on affected devices.
What Happened
Two critical security flaws have been discovered in Ivanti Sentry, a system used by organizations to manage mobile devices and secure email access. These vulnerabilities affect versions 10.7.0 and older, allowing attackers to take complete control of the system or create fake administrator accounts without needing a password. This is highly dangerous because it gives unauthorized individuals deep access to corporate networks. Organizations using Ivanti Sentry should immediately apply the security updates provided by the vendor to protect their systems.
Key Takeaways
- Ivanti Sentry products are affected by two critical vulnerabilities allowing unauthenticated remote code execution.
- CVE-2026-10520 (CVSS 10.0) is an OS command injection flaw leading to root-level RCE.
- CVE-2026-10523 (CVSS 9.9) is an authentication bypass vulnerability allowing the creation of arbitrary administrative accounts.
- Ivanti Sentry versions 10.5.1, 10.6.1, and 10.7.0 (and prior) are vulnerable.
- Immediate patching is recommended per vendor guidance.
Affected Systems
- Ivanti Sentry 10.5.1 and prior
- Ivanti Sentry 10.6.1 and prior
- Ivanti Sentry 10.7.0 and prior
Vulnerabilities (CVEs)
- CVE-2026-10520
- CVE-2026-10523
Attack Chain
An unauthenticated remote attacker targets a vulnerable Ivanti Sentry appliance. By exploiting CVE-2026-10523, the attacker can bypass authentication mechanisms to create an arbitrary administrative account. Alternatively or sequentially, the attacker can exploit CVE-2026-10520 via OS command injection to execute arbitrary commands, ultimately achieving root-level remote code execution on the device.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
No specific detection rules are provided in the advisory.
Detection Engineering Assessment
- EDR Visibility: Low. Ivanti Sentry is a proprietary appliance, which typically restricts or prevents the installation of standard third-party EDR agents, limiting host-level visibility.
- Network Visibility: Medium. Network traffic analysis and WAFs may detect command injection payloads or anomalous administrative account creation requests if SSL/TLS inspection is enabled.
- Detection Difficulty: Moderate. Without EDR on the appliance, defenders must rely on network telemetry and application logs, which may not be centrally collected or easily parsed for zero-day exploitation patterns.
Required Log Sources
- Web Application Firewall (WAF) Logs
- Application Authentication Logs
- System/Audit Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for anomalous administrative account creation events in Ivanti Sentry authentication logs, which may indicate exploitation of CVE-2026-10523. | Application Authentication Logs | Persistence | Low |
| Evaluate web access logs for unusual HTTP requests containing shell metacharacters or command injection payloads targeting Sentry endpoints. | WAF/Web Access Logs | Initial Access | Medium |
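The two hypotheses above, worked through as a small hunting script. This is an added example, not part of the advisory and not Ivanti code: the access log is constructed in combined log format with placeholder endpoint paths, the authentication log uses an assumed key=value layout (real Sentry logs will differ), and the management network range is an assumption.

```python
import ipaddress
import re
from urllib.parse import unquote

# Metacharacters that have no business in a decoded request line, and parsers for both log formats.
SHELL_META = re.compile(r"[;|`&\n]|\$[({]")
ACCESS_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" \d{3}')
KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample web access log (combined log format); endpoint paths are placeholders.
ACCESS_LOG = """\
10.0.0.5 - - [12/Mar/2026:10:01:02 +0000] "GET /placeholder/logo.png HTTP/1.1" 200 512
203.0.113.9 - - [12/Mar/2026:10:01:07 +0000] "GET /placeholder/api?name=x%3B%60foo%60 HTTP/1.1" 500 0
10.0.0.7 - - [12/Mar/2026:10:02:15 +0000] "POST /placeholder/login HTTP/1.1" 302 0
"""
# Constructed sample application authentication log in an assumed key=value format.
AUTH_LOG = """\
2026-03-12T10:03:00Z action=create_account actor=admin target=svc_sync role=administrator src=203.0.113.9
2026-03-12T10:04:00Z action=login actor=jdoe result=success src=10.0.0.7
2026-03-12T10:05:00Z action=create_account actor=admin target=helpdesk2 role=administrator src=10.0.0.7
"""

def injection_candidates(log_text):
    """Return (src, decoded request) for access-log lines carrying shell metacharacters."""
    hits = []
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            decoded = unquote(m.group("req"))  # decode %3B etc. before matching
            if SHELL_META.search(decoded):
                hits.append((m.group("src"), decoded))
    return hits

def admin_account_creations(log_text):
    """Return parsed key=value records describing administrator account creations."""
    records = [dict(KV_RE.findall(line)) for line in log_text.splitlines()]
    return [r for r in records if r.get("action") == "create_account" and r.get("role") == "administrator"]

def triage(access_log, auth_log, mgmt_nets):
    """Rate an admin creation 'high' if its source is outside mgmt_nets or also sent an injection candidate."""
    nets = [ipaddress.ip_network(n) for n in mgmt_nets]
    suspicious = {src for src, _ in injection_candidates(access_log)}
    alerts = []
    for rec in admin_account_creations(auth_log):
        src = rec.get("src", "0.0.0.0")
        outside = not any(ipaddress.ip_address(src) in net for net in nets)
        severity = "high" if outside or src in suspicious else "review"
        alerts.append((severity, rec["target"], src))
    return alerts
```

Creations from inside the management range with no matching injection candidate still surface as "review", since a legitimate admin onboarding and account creation by a compromised internal host look identical in this telemetry.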
Control Gaps
- Lack of EDR deployment capabilities on proprietary network appliances
- Insufficient WAF rules for detecting novel command injection techniques
Key Behavioral Indicators
- Unexpected creation of new administrative accounts
- Spawning of unexpected shell processes (e.g., sh, bash) from the web service daemon (if system logs are available)
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Immediately apply the vendor-supplied patches for Ivanti Sentry to remediate CVE-2026-10520 and CVE-2026-10523.
- Review Sentry user accounts for any unauthorized or recently created administrative accounts.
Infrastructure Hardening
- Consider restricting access to the Ivanti Sentry administrative interface to trusted internal IP addresses or dedicated management VLANs.
- Evaluate whether Web Application Firewalls (WAF) are configured to inspect traffic to Sentry appliances for command injection attempts.
User Protection
- If supported by the appliance, consider enforcing Multi-Factor Authentication (MFA) for all administrative access.
Security Awareness
- Consider educating administrators on the importance of monitoring appliance health and applying critical vendor updates promptly.
MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application
- T1078 - Valid Accounts
- T1059.004 - Command and Scripting Interpreter: Unix Shell